Craig wrote:
I'm working on setting up squid_session to point users to an acceptable use
policy before they are allowed to surf and I just want to get a sanity check
on my config.
According to the man pages (http://linuxreviews.org/man/squid_session/) and
several posts (i.e.
http://www.mail-archive.com/squid-users@xxxxxxxxxxxxxxx/msg45599.html) found
in this archive...
I should have the following lines in the TAG acl section of squid.conf:
external_acl_type session ttl=300 negative_ttl=0 children=1 concurrency=200 %LOGIN /usr/lb/squid/squid_session
acl session external session
(note: /usr/lib/squid/ is where squid_session was put when squid
installed)
Then in the TAG http_access section, I should have the following:
http_access deny !session
But what else do you have? And in what order? The following wouldn't
work...
http_access allow my_net
http_access deny !session
... for someone in "my_net" as http_access processing exits on the
first match.
And finally in the TAG deny_info section, I place the following line:
deny_info http://your.server/bannerpage?url=%s session
making sure that ?url=%s follows whatever url I put there for my AUP page.
?url=%s is an argument passed to "bannerpage" to allow the client to
continue surfing after accepting the AUP, so that sounds good.
Obviously it won't make a bit of difference when using a static banner page.
However, the above settings did not force the test web client (configured to
use the proxy) to view the url for the http://your.server/bannerpage page
(currently a static web page to check functionality), so I changed the first
line to be:
external_acl_type session ttl=300 negative_ttl=0 children=1 concurrency=200 %LOGIN /usr/local/squid/libexec/squid_session -a
This would never start a session. The "-a" argument requires a session
to be explicitly started and also allows a session to be explicitly
ended. This external_acl_type definition does not allow for that.
(note the -a at the end)
However, that just made the web client load the requested page really slow
without loading the url for the AUP.
Hmmm... If it's not pushing you to the AUP page, it shouldn't have any
effect on the transfer speed.
I don't have a database set up, I was just going to let the memory hold the
session details.
Why isn't it redirecting to the AUP? Any suggestions? Am I missing
something obvious?
Check the order of your http_access lines. Look for clues in your
cache.log.
Thanks.
Craig L. Bowser
Information Assurance Manager
-------------------------------
To lead a symphony You must occasionally turn your back on the crowd. -
Anonymous
Chris
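
The ordering point raised in the reply, as an added example that is not part of the original thread: a toy Python model of first-match http_access processing with a passive (no -a) session helper. The client addresses, user keys and the "fixed" rule order are constructed assumptions for illustration, not a configuration given by either poster.

```python
# Added illustration: toy model of first-match http_access processing.
# A rule is (action, [acl names]); a leading "!" negates the ACL.

def make_passive_session_acl():
    """Models a passive (no -a) session helper: the first lookup for a key
    fails and starts the session, later lookups for that key succeed."""
    started = set()
    def session(req):
        if req["user"] in started:
            return True
        started.add(req["user"])
        return False
    return session

def evaluate(rules, acls, req):
    """Return the action of the first rule whose ACLs all match."""
    for action, names in rules:
        if all(acls[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    return "deny"  # assumption: nothing matched, treat as denied

def run(rules, requests):
    acls = {
        "my_net": lambda req: req["src"].startswith("192.0.2."),  # constructed net
        "session": make_passive_session_acl(),
        "all": lambda req: True,
    }
    return [evaluate(rules, acls, r) for r in requests]

# Order quoted in the thread: my_net clients match the allow line first,
# so the session ACL is never consulted and no banner is ever shown.
BROKEN = [("allow", ["my_net"]), ("deny", ["!session"])]
# Assumed corrected order: the session check comes before the allow.
FIXED = [("deny", ["!session"]), ("allow", ["my_net"]), ("deny", ["all"])]

# Constructed requests: two from an inside client, two from an outside one.
REQUESTS = [
    {"src": "192.0.2.10", "user": "alice"},
    {"src": "192.0.2.10", "user": "alice"},
    {"src": "198.51.100.7", "user": "bob"},
    {"src": "198.51.100.7", "user": "bob"},
]

if __name__ == "__main__":
    print("broken:", run(BROKEN, REQUESTS))
    print("fixed: ", run(FIXED, REQUESTS))
```

In the fixed order, the first "deny" for alice is the request that deny_info would turn into the AUP redirect; her next request is allowed.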